[Cryptography] Kali Linux security is a joke!

Alfie John alfiej at fastmail.fm
Tue Mar 17 15:31:17 EDT 2015

On Wed, Mar 18, 2015, at 05:32 AM, Viktor Dukhovni wrote:
> On Mon, Mar 16, 2015 at 12:07:08PM -0700, Henry Baker wrote:
> > So how come whenever you do apt-get in Kali Linux, it accesses
> > http://security.kali.org and http://http.kali.org
> All Debian-style repositories use HTTP, not HTTPS which makes them to
> mirror.  The Release files are GPG signed by the distribution
> maintainers.  The distribution keys should be part of the base
> installation media.  Of course if you bootstrap via PXE, your MiTM
> attack starts there (the turtle at the bottom of the stack).
> > Hasn't Kali heard about MITM attacks against http.
> I would take some time to study the "apt" security model.  It is not
> perfect, but the use of http is not a significant problem.

An issue with HTTP for apt is information leak. People listening on the
wire will know what software you're installing on machines.


  Alfie John
  alfiej at fastmail.fm
